ACS 5.3 certificate based network access using AD

Problem

How to implement certificate-based 802.1X authentication for network access using ACS 5.3 with AD as the external identity store.

Solution

As far as EAP-TLS authentication is concerned, both LDAP and AD serve the same purpose. However, in other respects AD is much better than LDAP, as AD:

-allows MS-CHAP authentication; LDAP only allows PAP.

-allows machine authentication for domain clients; LDAP does not.

-allows nested group fetching; LDAP does not.

-allows cross-domain/forest authentication; with LDAP, ACS does not support this fully because ACS does not support LDAP referrals.

Here is a quick reference for all the external databases and the protocols they support:

Supporting protocols

Based on your requirements for authenticating LAN users through switches using certificates (EAP-TLS), here is what you require:

1.) A server certificate for ACS issued by a Certification Authority (your in-house CA). Follow these steps:

Generating a Certificate Signing Request

Binding CA Signed Certificates

2.) The root CA certificate of the CA that issued the server certificate for ACS. This root CA certificate must be installed on all the LAN clients and on the ACS. This can be done by the AD admin of your company, or you can do it manually on every LAN client.

3.) A client certificate on all the LAN clients from your in-house CA (preferably the same CA as in step 1). This can be pushed through GPO by the AD admins of your company; no manual effort is required.

4.) The switch to be configured for authenticating the LAN users: enable dot1x (802.1X). Here are the steps for each platform:

     a.) Catalyst 2950

     b.) Catalyst 3550

     c.) Catalyst 4500

     d.) Catalyst 6500

5.) ACS 5.3 to be integrated with AD

6.) ACS to be installed with the root CA certificate of the CA that issued the certificate to ACS. Additionally, install the root CA certificate of the CA that issued the client certificates (if it is not the same CA). Refer to this section of the document:

Install the Root CA Certificate on ACS 5.x

7.) A certificate authentication profile to be configured on the ACS for EAP-TLS authentication.

8.) An identity sequence to be configured so that you can fetch the user's group membership from AD (required for assigning the VLAN later).

9.) Authorization profiles to be configured on ACS for VLAN assignment using RADIUS attributes 64, 65 and 81.

10.) Access service > Identity to be configured to point to the Identity Sequence.

11.) Access service > Authorization to be configured to check the user's group membership from AD and then apply the different authorization profiles (created in step 9) that assign the desired VLANs.
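Steps 9 and 11 assign the VLAN through RADIUS attributes 64, 65 and 81 in the Access-Accept. As an added example that is not part of the original post or of any Cisco software, this Python code encodes that attribute trio as RFC 2868 and RFC 3580 define it and validates a received set the way the switch must before applying the VLAN (all three present, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, matching tag bytes); the VLAN values and the tag value are constructed samples.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}
TUNNEL_TYPE_VLAN = 13    # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6    # RFC 3580: Tunnel-Medium-Type value for IEEE-802

def avp(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value

def vlan_assignment_avps(vlan, tag=1):
    """Build the 64/65/81 trio an Access-Accept carries for VLAN assignment:
    tag byte + 3-byte integer for 64/65, tag byte + VLAN ID or name for 81."""
    if not 0 <= tag <= 0x1F:  # RFC 2868 tags are 0..31; tag=1 is an assumed sample
        raise ValueError("tag must be 0..31")
    tag_b = bytes([tag])
    return (avp(TUNNEL_TYPE, tag_b + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, tag_b + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, tag_b + str(vlan).encode("ascii")))

def parse_avps(data):
    """Split an attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out

def assigned_vlan(data):
    """VLAN from an Access-Accept blob, or None if the trio is absent,
    not VLAN/IEEE-802, or the three tags disagree."""
    found = {}
    for attr_type, value in parse_avps(data):
        if attr_type not in VLAN_ATTRS:
            continue
        # RFC 2868: the leading byte is a tag only when it is <= 0x1F
        tag, rest = (value[0], value[1:]) if value and value[0] <= 0x1F else (None, value)
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            found[attr_type] = (tag, rest.decode("ascii", "replace"))
        else:
            found[attr_type] = (tag, int.from_bytes(rest, "big"))
    if (set(found) != VLAN_ATTRS or len({t for t, _ in found.values()}) != 1
            or (found[TUNNEL_TYPE][1], found[TUNNEL_MEDIUM_TYPE][1]) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802)):
        return None
    return found[TUNNEL_PRIVATE_GROUP_ID][1]
```

Attribute 81 may carry either a numeric VLAN ID or a VLAN name; the switch resolves a name only if a VLAN with exactly that name exists locally, so a mismatch between the ACS profile and the switch leaves the port unauthorized.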

Reference

https://supportforums.cisco.com/message/3595926#3595926
